Hackers increasingly ignore restrictions of commercial malware developers

The attackers disable the modules that prevent the malware from being deployed in the Commonwealth of Independent States. Modified, restriction‑free malware versions are sold on underground forums and Telegram channels
September 2, 2024

Commercial malware is predominantly used by financially motivated clusters (73% of all instances detected by BI.ZONE in the first six months of 2024), who want either to extort a ransom from their victims or to sell the stolen data on the dark web. Espionage actors account for a much smaller share (14%), and hacktivists for only 3%. In the remaining 10% of instances, adversaries have mixed motives.

About 5% of all clusters that use commercial malware against companies in Russia and other CIS countries do so in violation of the developers' restrictions. Such restrictions are usually explained by the developers residing in a CIS country: by keeping their tools away from local targets they hope to stay less traceable and less exposed to prosecution.

The trend of violating developer restrictions and tweaking the malware emerged in 2023 and became more pronounced in early 2024. An example of this trend is Stone Wolf, a cluster of activity recently uncovered by the BI.ZONE Threat Intelligence team.

Stone Wolf has used Meduza Stealer in at least 9 attacks on Russian companies. According to the developers, the malware has a module that prevents its use in the CIS countries. Nevertheless, Stone Wolf disabled the module. The adversaries attached the modified stealer to the phishing emails they sent on behalf of an existing industrial automation provider.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence

The emails contain a ZIP archive with a digital signature file, a decoy document, and a download link to Meduza Stealer disguised as a PDF file. Once installed on the victim's computer, the malware collects information about the operating system, processor, RAM, and other parameters of the compromised device. It also retrieves account credentials from browsers and crypto wallets, collects lists of installed applications, etc.
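A first triage check a defender can run on such an attachment is to look inside the archive before anyone opens it: a "PDF" that is really a download link is typically a Windows shortcut (.url or .lnk) with a double extension, and a .url file carries its target in plain text. The script below is an added example written for this article, not BI.ZONE's tooling or a sample of the actual Stone Wolf archive; it assumes the double-extension/.url disguise, which the article does not specify, and builds a constructed archive in memory so it runs offline.

```python
import configparser
import io
import zipfile
from typing import List, Optional

# Extensions Windows will execute or follow when double-clicked.
EXECUTABLE_EXTS = {".lnk", ".url", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd"}
# Extensions a user expects to open as a harmless document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def classify_member(name: str) -> Optional[str]:
    """Return a finding for a suspicious archive member name, or None if it looks benign."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    if len(parts) < 2:
        return None
    final_ext = "." + parts[-1]
    if final_ext not in EXECUTABLE_EXTS:
        return None
    # "Invoice.pdf.url": the visible part says document, the real type is a shortcut.
    inner_exts = {"." + p for p in parts[1:-1]}
    if inner_exts & DOCUMENT_EXTS:
        return f"double extension: {name} (looks like a document, opens as {final_ext})"
    return f"executable or shortcut inside archive: {name}"


def url_shortcut_target(data: bytes) -> Optional[str]:
    """Extract the URL= target from a Windows .url (InternetShortcut) file."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def scan_zip(blob: bytes) -> List[str]:
    """List suspicious members of a ZIP blob and the targets of any .url shortcuts."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = classify_member(info.filename)
            if finding:
                findings.append(finding)
            if info.filename.lower().endswith(".url"):
                target = url_shortcut_target(zf.read(info))
                if target:
                    findings.append(f"{info.filename} -> {target}")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (hypothetical names) mirroring the structure the article describes:
    a decoy document, a signature file, and a 'PDF' that is really a download link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract_terms.docx", b"decoy document body")
        zf.writestr("Contract_terms.docx.sig", b"detached signature placeholder")
        zf.writestr(
            "Invoice_2024.pdf.url",
            "[InternetShortcut]\r\nURL=http://example.invalid/payload\r\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_sample_archive()):
        print(line)
```

Running it prints one finding for the double extension and one for the extracted download URL, while the decoy document and its signature file are left alone. For real triage the extracted URL is the indicator to pivot on (blocklists, proxy logs, sandbox detonation); .lnk files need a dedicated parser since their target is stored in a binary structure rather than INI text.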

Meduza Stealer first appeared on underground resources in June 2023. One-month, three-month, and lifetime subscriptions were sold for $199, $399, and $1,199, respectively. In March 2024, additional options became available; for instance, a dedicated server with a choice of parameters (the number of cores, size of RAM, and amount of disk space) could be rented for as little as $20.

Usually, when it becomes known that a particular malware has been used against CIS companies, its sales get blocked on underground forums, and its developers move their business to Telegram.

Thus, in August 2023, BI.ZONE Threat Intelligence published research on the White Snake stealer. The adversaries distributed the malware via phishing emails posing as demands from Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media) and attacked Russian companies despite the developer's restrictions. Soon after the publication, the White Snake thread on a popular underground forum was suspended, confining the developer's sales to its Telegram channel. Currently, the cost starts at $200 per month and goes up to $1,950 for a lifetime license.

A similar situation arose with the Rhadamanthys stealer, with prices ranging from $59 per week to $999 for a lifetime license. Its sales were suspended on underground resources in April 2024, after it was revealed that the Sticky Werewolf cluster had employed Rhadamanthys to attack organizations in Russia and Belarus.

If adversaries bypass preventive security solutions and penetrate the infrastructure unnoticed, it is crucial to neutralize the threat before it causes significant damage to business. Endpoint protection solutions such as BI.ZONE EDR enable early detection of attacks and immediate incident response, either automated or manual. To ensure the precision of your security solutions, accelerate incident response, and thereby protect your company from the most critical threats, we would recommend that you leverage data from cyber intelligence portals; for instance, BI.ZONE Threat Intelligence.